How to add --privileged for docker when running cromwell in aws
Where to add this option?
There’s currently no way to do this. It would need to be added to the part of the code that constructs the job definition.
What is the scenario requiring running as privileged?
On Thu, Sep 17, 2020 at 4:53 AM openbioinfomatics for more people who need it [email protected] wrote:
how to add --privilleged for docker when run cromwell in aws
where to add this option ?
I plan to run Singularity images in a Docker container.
Did you try to implement your own docker-submit in the config file?
No. In AWS mode, I don't find docker-submit.
I prefer --privileged=true as the default for Cromwell with AWS as backend.
"submit-docker" (sorry for reversal) is one of the configuration options in the Cromwell config file. See e.g. here how additional volumes are mounted (last section): https://davetang.org/muse/2019/12/24/execute-gatk-workflows-locally. In the same way, you can run a docker command that passes the --privileged=true option.
Thanks for your reply.
I mean in AWS backend mode, instead of local mode. There is no option to set submit-docker. I attached the backend part of my aws.conf as follows.
backend {
  default = "AWSBATCH"
  providers {
    AWSBATCH {
      actor-factory = "cromwell.backend.impl.aws.AwsBatchBackendLifecycleActorFactory"
      config {
        // Base bucket for workflow executions
        root = "s3://yuce/cromwell-execution"
        // A reference to an auth defined in the `aws` stanza at the top. This auth is used to create
        // Jobs and manipulate auth JSONs.
        auth = "default"
        numSubmitAttempts = 3
        numCreateDefinitionAttempts = 3
        concurrent-job-limit = 16
        default-runtime-attributes {
          queueArn: "arn:aws-cn:batch:cn-northwest-1:723230375162:job-queue/first-run-job-queue",
        }
        filesystems {
          s3 {
            // A reference to a potentially different auth for manipulating files via engine functions.
            auth = "default"
          }
        }
      }
    }
  }
}
By "no option to set" do you mean that it is not allowed to do this? Can't you just add this section? Local is just an example. I have a UGE backend where I override "submit-docker" to use it with singularity.
Yes, I have tried. In AWS mode, Cromwell does not support submit-docker.
https://github.com/broadinstitute/cromwell/issues/5863#issuecomment-699685666
Ah, OK. This looks like something to add.
We have a similar need. This overlaps a little with #4579. It would be useful if the submit-docker was parameterized similar to how it is for some of the other backends.
Thanks for the feedback. Can you elaborate more on the need to be able to run a container as privileged?
It could (in theory) be parameterized if required but it seems hazardous to have this be the default.
On Tue, Jan 5, 2021 at 5:42 PM Shane Canon [email protected] wrote:
We have a similar need. This overlaps a little with #4579 https://github.com/broadinstitute/cromwell/issues/4579. It would be useful if the submit-docker was parameterized similar to how it is for some of the other backends.
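An added example, not part of the thread or of Cromwell's code: since a privileged option would end up in the AWS Batch job definition that Cromwell constructs, an operator can audit registered job definitions for the `privileged` container flag and allowlist the few that are meant to have it. The sample data is constructed in the shape of `aws batch describe-job-definitions` output; the job names, images and allowlist are assumptions.

```python
import json

# Constructed sample shaped like `aws batch describe-job-definitions` output.
# Job names, images and revisions are made up for illustration.
SAMPLE = json.loads("""
{"jobDefinitions": [
  {"jobDefinitionName": "task-a", "revision": 1, "status": "ACTIVE",
   "containerProperties": {"image": "example/tool:1.0", "privileged": false}},
  {"jobDefinitionName": "task-b", "revision": 3, "status": "ACTIVE",
   "containerProperties": {"image": "example/runner:1.0", "privileged": true}},
  {"jobDefinitionName": "task-b", "revision": 2, "status": "INACTIVE",
   "containerProperties": {"image": "example/runner:0.9", "privileged": true}},
  {"jobDefinitionName": "mpi-job", "revision": 1, "status": "ACTIVE",
   "nodeProperties": {"numNodes": 2, "mainNode": 0, "nodeRangeProperties": [
     {"targetNodes": "0:",
      "container": {"image": "example/mpi:1.0", "privileged": true}}]}}
]}
""")


def containers(job_def):
    """Yield every container spec in a job definition (single or multi-node)."""
    if "containerProperties" in job_def:
        yield job_def["containerProperties"]
    for rng in job_def.get("nodeProperties", {}).get("nodeRangeProperties", []):
        if "container" in rng:
            yield rng["container"]


def privileged_definitions(response, allowlist=frozenset(), active_only=True):
    """Return sorted (name, revision, image) for privileged, non-allowlisted jobs."""
    findings = []
    for jd in response.get("jobDefinitions", []):
        if active_only and jd.get("status") != "ACTIVE":
            continue  # deregistered revisions can no longer be submitted
        if jd["jobDefinitionName"] in allowlist:
            continue
        for c in containers(jd):
            # The field is absent when unset; only an explicit true is a hit.
            if c.get("privileged") is True:
                findings.append((jd["jobDefinitionName"], jd["revision"], c.get("image")))
    return sorted(findings)


if __name__ == "__main__":
    for name, rev, image in privileged_definitions(SAMPLE, allowlist={"mpi-job"}):
        print(f"privileged: {name}:{rev} image={image}")
```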
One scenario that comes to mind is running anything that requires a docker or singularity server, such as Nextflow. So if you need to run Nextflow as a step in a larger WDL workflow it is going to want to pull images